AS-REQ using SPN
Andrew Bartlett
abartlet at samba.org
Wed Nov 15 22:20:53 UTC 2017
On Wed, 2017-11-15 at 22:18 +0100, Ralph Böhme via samba-technical wrote:
> On Thu, Nov 16, 2017 at 06:51:54AM +1300, Andrew Bartlett wrote:
> > Can you show me the full LDIF for that account, and if at all possible
> > a network capture?
>
> sure.
>
> dn: CN=Foo Foo,CN=Users,DC=riverside,DC=site
...
> sAMAccountName: foo
> sAMAccountType: 805306368
> userPrincipalName: foo/win2016.riverside.site@RIVERSIDE.SITE
> lockoutTime: 0
> servicePrincipalName: foo/win2016.riverside.site
> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=riverside,DC=site
> dSCorePropagationData: 16010101000000.0Z
> lastLogonTimestamp: 131552130336033649
Thanks!
So that looks to me like it is using the userPrincipalName, not the
servicePrincipalName. I've not seen this work unless the UPN is set
(and even then there appear to be restrictions based on the principal
type).
I'll lock this down with some more tests; so far they indicate that the
userPrincipalName is the only reason it works, and only for name type
KRB5_NT_PRINCIPAL_NAME.
Thanks,
Andrew Bartlett
--
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Development and Support, Catalyst IT
https://catalyst.net.nz/services/samba
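The lookup behaviour Andrew describes above, as an added model (not Samba's or Heimdal's KDC code, and not part of the original thread): an AS-REQ whose client name is written in SPN form (foo/host) only resolves when that string equals the account's userPrincipalName and the name type is the plain principal type; the servicePrincipalName attribute is never consulted for the client name. The name-type constants are the RFC 4120 values, with value 1 (NT-PRINCIPAL) taken to be what the message calls KRB5_NT_PRINCIPAL_NAME; the LDIF record is constructed from the excerpt (with the UPN's `@` restored), and the single-component sAMAccountName match stands in for the ordinary user logon case. Both of those are assumptions of the model.

```python
"""Added model of the AS-REQ client-name lookup behaviour described in the
thread. Not Samba/Heimdal code; name-type values are from RFC 4120 s.6.2."""

# PrincipalName name-type values, RFC 4120 section 6.2
KRB5_NT_UNKNOWN = 0
KRB5_NT_PRINCIPAL = 1     # assumed to be what the message calls KRB5_NT_PRINCIPAL_NAME
KRB5_NT_SRV_INST = 2
KRB5_NT_SRV_HST = 3

# Constructed LDIF excerpt modelled on the account in the thread (the list
# archive renders the '@' of the UPN as ' at '; restored here).
SAMPLE_LDIF = """\
dn: CN=Foo Foo,CN=Users,DC=riverside,DC=site
sAMAccountName: foo
sAMAccountType: 805306368
userPrincipalName: foo/win2016.riverside.site@RIVERSIDE.SITE
servicePrincipalName: foo/win2016.riverside.site
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=riverside,DC=site
"""


def parse_ldif(text):
    """Parse one LDIF record of plain 'attr: value' lines into {attr: [values]}.
    Multi-valued attributes accumulate. Enough for the excerpt above; it is not
    a full LDIF parser (no line folding, no base64 '::' values)."""
    entry = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        attr, sep, value = line.partition(": ")
        if not sep:
            continue  # not an 'attr: value' line
        entry.setdefault(attr, []).append(value)
    return entry


def resolve_client_name(entry, name_string, name_type, realm):
    """Return the attribute an AS-REQ cname would be matched against, or None.

    Models the observation in the thread: an SPN-looking client name
    (foo/host) resolves only when it equals the account's userPrincipalName
    and the name type is KRB5_NT_PRINCIPAL. servicePrincipalName is never
    consulted for the AS-REQ *client* name, even when it holds the same value.
    A single-component name matching sAMAccountName is the ordinary logon case.
    """
    if name_type != KRB5_NT_PRINCIPAL:
        return None
    principal = "/".join(name_string).lower()
    if len(name_string) == 1:
        for sam in entry.get("sAMAccountName", []):
            if sam.lower() == principal:
                return "sAMAccountName"
    upn = f"{principal}@{realm.lower()}"
    for value in entry.get("userPrincipalName", []):
        if value.lower() == upn:
            return "userPrincipalName"
    return None


def explain(entry, name_string, name_type, realm):
    """Human-readable verdict for one AS-REQ client name."""
    matched = resolve_client_name(entry, name_string, name_type, realm)
    cname = "/".join(name_string)
    if matched:
        return f"AS-REQ for {cname}@{realm} (name-type {name_type}) resolves via {matched}"
    return f"AS-REQ for {cname}@{realm} (name-type {name_type}) finds no account"


if __name__ == "__main__":
    acct = parse_ldif(SAMPLE_LDIF)
    spn_style = ["foo", "win2016.riverside.site"]
    print(explain(acct, spn_style, KRB5_NT_PRINCIPAL, "RIVERSIDE.SITE"))
    print(explain(acct, spn_style, KRB5_NT_SRV_HST, "RIVERSIDE.SITE"))
    # Same account without the UPN: the SPN alone does not make the name resolve.
    no_upn = {k: v for k, v in acct.items() if k != "userPrincipalName"}
    print(explain(no_upn, spn_style, KRB5_NT_PRINCIPAL, "RIVERSIDE.SITE"))
```

Running it prints one line per case: the SPN-form name resolves via userPrincipalName with name-type 1, finds no account with name-type 3, and finds no account once the UPN is removed even though servicePrincipalName still carries the identical string. That is the distinction to keep in mind when an account "works" with an SPN as its client principal: it is the UPN doing the work.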